Posts Tagged ‘Data Breaches’

HMRC breaches DPA

Wednesday, November 21st, 2007

While one swallow might not make a summer, multiple breaches of one particular law (Information Commissioner: “we are already investigating two other breaches”) do rather suggest that the organization concerned has little interest in compliance with it.

Her Majesty’s Revenue and Customs (‘HMRC’) has, on a number of occasions, broken the law. Those involved in the breach, and their political masters who allowed it to happen, should be dismissed and prosecuted.

The law HMRC has broken is the Data Protection Act 1998 (‘DPA’). This is what the DPA says (7th Principle): “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The DPA provides explicit guidance on how to interpret this principle: “Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”

The data on the child benefit database (names, national insurance numbers, dates of birth, mothers’ maiden names, bank account details, etc, of some 25 million people) is clearly personal data, and is clearly highly sensitive. The law therefore requires the Data Controller (in this case, HMRC) to take appropriate measures to ensure the security of the data. Even the most rudimentary information security risk assessment would identify the danger of someone attempting to extract some or all of this data. Appropriate counter-measures should therefore, and rather obviously, include removal of any technical capability to ‘burn the database to a disc’, and, where a bulk transfer is genuinely necessary, an approved and audited process that encrypts the extract before it leaves the building. The supervisory failure that allowed a junior member of staff to export this data to a disc and then mail it, unencrypted, outside the organization is merely symptomatic of a deeper failure to make any effort whatsoever to comply with the DPA.

It seems to me that the time has come, not only for executives and ministers to be dismissed and prosecuted, but for two other steps:
1. All public sector organizations that deal with personal data should be required to achieve certification to the international information security standard ISO/IEC 27001 – and should be given no more than two years to complete certification;
2. The UK now needs a data breach law that brings significant financial penalties and criminal charges against those – from the top of the organization down – who fail to take security measures appropriate to the nature of the personal data being protected.

White collar crime and information security

Friday, June 1st, 2007

The increasing incidence and serious nature of internal threats to the security of corporate information is well demonstrated by the recent need for Cable & Wireless to obtain an injunction requiring a former executive to hand a 100,000-strong customer database back to her former employer. While the former executive denies the allegation, the BBC has established that the database is being used illegally by Pakistani call centres.

An effective information security management system (ie an ISMS in line with ISO27001) would have identified this risk and guarded against it. Identifying, investigating and responding to this sort of white collar corporate crime will increasingly be part of the ISMS operation, which is why we have just added a selection of useful books on White Collar Crime and Computer Forensics to our website.

We expect more stories of this sort.

Staff training lags behind

Friday, May 25th, 2007

According to a new study of 500 IT and HR professionals, 45 percent of businesses fail to train staff in handling sensitive corporate data, and 46 percent have no plans to introduce such training. With Marks & Spencer providing the latest proof of how easily personal records can fall into the wrong hands, I can only hope that this survey is unrepresentative. At IT Governance, we stress at all times that internal communications and training are vital weapons in safeguarding information assets. To think security can be achieved without them is self-deluding.

Should you worry about data breaches?

Thursday, April 19th, 2007

Read Compliance Week for 17 April 2007 – Battling the Wide World of Data Breaches – and be astonished that those who are responsible for such grievous breaches of basic data security aren’t just taken out and …..

If you want a regular dose of horror, get the RSS feed from the Attrition.org website. It seems clear to me that there are large numbers of organizations out there who truly, genuinely, don’t give a hoot about the security of their employee and customer personally identifiable information.

I mean, if the repercussions facing TJX don’t frighten CEOs and board directors, then nothing will get their attention: 18 class-action lawsuits (so far), attorney-general investigations in 30 states, a US$5 million pre-tax charge in Q4 of 2006, and the statement that “beyond this charge, we do not have information to reasonably estimate losses we may incur arising from the computer intrusion”. And TJX does deserve it, having allowed hackers to access credit card data from some 45.7 million customers. After all, TJX is not the first example of gross incompetence on this scale, and it’s not as though the US doesn’t already have a battery of privacy and breach-notification legislation on the books.

It’s also not as though best practice standards (eg ISO27001) don’t already exist; nor is it anything but obvious that laptops simply should not be loaded with personal data, not ever.

I think the only thing remaining is for everyone – customers, suppliers, partners – to simply cease dealing with organizations like TJX. Subscribe to Attrition.org and boycott those organizations that won’t get their act together.

How a six-year-old beat the House of Commons computer system

Monday, April 16th, 2007

A BBC TV programme, Inside Out, recently caused some red faces in the UK House of Commons by revealing that a six-year-old girl was easily able to break into the parliamentary computer system by installing a keylogger on the PC of an MP.

Having managed to sneak the device in under the noses of one of the UK’s most vigilant security teams, the girl was able to attach it swiftly while the MP, as part of the test, agreed to leave her PC unattended for 60 seconds.

This has brilliantly highlighted the increasing threat posed by keyloggers, which in the programme’s words are proving the “weapon of choice” for many fraudsters and criminals.

The real vulnerability that organisations face here is human, not technological. A hardware keylogger of this kind is installed by someone physically attaching it to the PC, which can only be accomplished through the negligence, naivety or active help of someone within the organisation. No amount of software patching will detect a device sitting between the keyboard and the PC; only staff who know not to leave a machine unattended with a stranger nearby, and who check what is plugged into it, will. A best practice information security management system adhering to ISO 27001 is the best possible defence against such vulnerabilities, as it addresses the staff training and awareness issues surrounding infosecurity in addition to technological defences.

This exchange on the blog of Doug Schweitzer adds some more useful colour here and highlights a couple of books that focus on the startling truth that the greatest security threat an organisation faces is from within.

Business Continuity demands more than technology

Thursday, March 22nd, 2007

Wise words on the topic of business continuity on ComputerWeekly’s website this week. The Business Continuity Institute’s Bill Crichton has stressed that continuity cannot simply be delivered by investing in the right piece of recovery kit. What is required is a far more all-embracing approach that involves policies, procedures and training, just as much as technology.

As I have written before, people often procrastinate over DR/BC measures because they don’t know where to start. The idea of a ‘fix-all’ recovery system may seem deceptively alluring. However, what is much more relevant is a good overview of the disaster landscape and a starter set of checklists, all of which is contained in our recently published book ‘Business Continuity and Disaster Recovery’, which is already proving very popular. This in turn equips the reader with the knowledge to decide which technology investments may genuinely help their continuity planning.

Investors don’t get the message

Monday, July 24th, 2006

This research from Harvard and Carnegie Mellon universities shows that large companies have no clear stock price-related incentive to prevent privacy breaches. Despite clear evidence of vulnerabilities that could seriously harm their interests, investors fail to give major quoted companies more than a mild slap on the wrist if their IT security is shown to be so lacking that there is a major breach of one or more privacy laws. After an initial dip, share prices quickly return to normal.

CIOs shouldn’t take this as a green light to reduce the cost of investment in protecting consumer privacy. The fact is that few institutional investors yet really understand the potentially very high direct and indirect costs of these breaches and so can’t yet make informed investment decisions.

As they become more knowledgeable (particularly with regulators becoming more determined around privacy), so the share price impact of a serious breach will become more dramatic and more prolonged. That, plus the possibility of SEC investigations and class-action suits, should be enough to keep CIOs and boards focused on their responsibilities around protecting personal information.

Citigroup exposes 3.9 million customers

Tuesday, June 7th, 2005

Citigroup announced earlier this week that personal details of 3.9 million consumer lending customers were lost by UPS while en route to a credit bureau.

How do you lose a set of tapes? I mean, UPS are supposed to be good at handling parcels – particularly ones that contain valuable information. Aren’t they?

And if you were CEO of Citigroup, and you knew that it was not unknown for storage partners to lose this sort of data (Time Warner, for instance, had lost 600,000 records just the month before), might you not have built the possibility into your risk assessment? (They do, I’m sure, do risk assessments at Citigroup.) And if you had, then might you not have spotted and provided for this risk as part of the “enhanced security procedures you require of your couriers”?

Or should we be thinking that the unenhanced security procedures were closer to, well, not much, really?

I’m sure we won’t be told.
